[PATCH openEuler-1.0-LTS] cifs: Fix an infinite loop in cifsd caused by a failed mount attempt on port 139

15 Mar 2025

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBSSQA
CVE: NA

----------------------------------------

If an error occurs when port 139 is used to mount the CIFS, the mount
process may racy with the reconnect process. If the mount process first
sets tcpStatus to CifsExiting and then the reconnect process sets
tcpStatus to CifsNeedReconnect later, the cifs_reconnect() function
enters an infinite loop and and the cifsd process cannot exit.

 mount.cifs                       cifsd
 ------------------------------------------------------------------
 cifs_do_mount
  cifs_smb3_do_mount
   cifs_mount
    mount_get_conns
     cifs_get_smb_ses
                          cifs_demultiplex_thread
      cifs_negotiate_protocol
       smb2_need_neg
       smb2_negotiate
        SMB2_negotiate
         cifs_send_recv
          compound_send_recv
           wait_for_response
                           cifs_read_from_socket
                            cifs_readv_from_socket
                             cifs_readv_from_socket
                              smb2_can_echo
                               cifs_reconnect
                                do {
                                generic_ip_connect
           cifs_sync_mid_result
            DeleteMidQEntry
             _cifs_mid_q_entry_release
              cifs_small_buf_release
    cifs_put_tcp_session
     tcpStatus = CifsExiting;
     // The status will not be changed later in mount.cifs.
                                ip_rfc1001_connect
                                 smb_send
                                  __smb_send_rqst
                                   tcpStatus = CifsNeedReconnect;
                                // infinite loop
                                } while (tcpStatus == CifsNeedReconnect)

This patch adds a check in __smb_send_rqst() to not change tcpStatus to
CifsNeedReconnect if tcpStatus is CifsExiting.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
---
 fs/cifs/transport.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
index c74d6b577d95..7694056e5990 100644
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -374,11 +374,14 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
 		/*
 		 * If we have only sent part of an SMB then the next SMB could
 		 * be taken as the remainder of this one. We need to kill the
 		 * socket so the server throws away the partial SMB
 		 */
-		server->tcpStatus = CifsNeedReconnect;
+		spin_lock(&GlobalMid_Lock);
+		if (server->tcpStatus != CifsExiting)
+			server->tcpStatus = CifsNeedReconnect;
+		spin_unlock(&GlobalMid_Lock);
 		trace_smb3_partial_send_reconnect(server->CurrentMid,
 						  server->hostname);
 	}
 smbd_done:
 	if (rc < 0 && rc != -EINTR)
-- 
2.34.3

    

Wang Zhaolong

patchwork bot

tags

participants (2)